Hello, my name is Akira. I'm from Aarhus University in Denmark. So in this video, I'm going to give you an overview of our Crypto paper, MuSig-L: lattice-based multi-signature with single-round online phase. This is a joint work with Cecilia Boschini from Technion and Reichman University in Israel and Mehdi Tibouchi from NTT in Japan. So let's get started. So what is a multi-signature? So a multi-signature is a generalized version of the usual signature scheme where there are many different signers holding individually generated secret keys. So first, the parties interact with each other and then after some back and forth, they produce a single signature on the same message M. Then the verifier takes a list of the public keys that participated in the signing operation, then outputs reject or accept. So our goal is to construct a lattice-based signature using some interactions. So our starting point is Schnorr's identification scheme. So recall that in the discrete log setting, the Schnorr prover first commits to the randomness and then upon receiving some challenge, the prover outputs a response value Z. So once you have Schnorr, it is known that you can instantiate the lattice-based identification protocol, which originated in Lyubashevsky's work. So here the prover commits to the randomness, but this time the randomness is sampled from either a Gaussian or uniform distribution over some small range. Then upon receiving a challenge, now the prover has to additionally perform rejection sampling. Because the randomness is small, the potential response value Z is not independent of the secret key. So then the prover has to perform rejection sampling and abort in some cases. So there are a lot of Schnorr-like multi-signatures with different techniques. So for example, using the existing techniques called commit-and-open or trapdoor homomorphic commitments, you can instantiate three-round or two-round multi-signatures, both in the discrete log setting and lattice setting. Okay.
And then the latest works in this line of research, MuSig2 and DWMS, require only one round of interaction in the online phase. And the first round of interaction can be preprocessed in the offline phase because the first message, the first commit message, actually does not depend on the message to be signed. So this is a very nice feature. However, unfortunately, the security proofs of those existing schemes rely on either the algebraic group model or the one-more discrete log assumption. So here the main technical challenge is whether we can construct a scheme with single-round online phase from standard lattice assumptions. So in this work, we answer this question in the positive by proposing our scheme MuSig-L. So here's the overview of our scheme. So if you are familiar with MuSig2 or DWMS, you probably see a lot of similarities. In the first interaction, each party generates a lot of randomness and then they exchange many commit values. And then upon receiving some message to be signed, every party locally derives random linear combination coefficients b. Then everybody obtains aggregated commit message U and then Pavo continues with the user catch-and-go operation. So an important difference with MuSig2 is that this random linear combination follows Gaussian instead of uniform. So because of this, you actually have to modify the rejection sampling because the potential value Z here depends on both the secret signing key and the random linear combination b. So you actually have to both recenter the response value and also get rid of the dependence on the Gaussian b. So our rejection sampling analysis actually takes care of this slightly modified rejection sampling operation. So in this work, we show that it is feasible to construct a Fiat-Shamir with aborts multi-signature with single-round online phase. And remarkably, we give a security proof in the classical random oracle model from SIS and LWE. And we require no one-more assumptions as in MuSig2 or DWMS.
So our proof is enabled by essentially two key techniques. The first one is our generalized version of the rejection sampling lemma. Also, we can exploit the preimage sampling algorithm of Micciancio-Peikert based on the lattice trapdoor. In our paper, we give a detailed security proof relying on these techniques. Additionally, we also achieve non-interactive key aggregation. So this allows the verifier to take just an aggregated single public key instead of many different public keys. So as a concurrent work, Fleischhacker, Simkin and Zhang recently proposed a completely different lattice-based non-interactive multi-signature using different techniques, also in a slightly different security model. In this work, we mostly focused on the feasibility of the one-round online phase using lattices. So as a future work, we'd like to exploit, for example, NTRU so that we can minimize the overhead introduced by the random linear combination. Also, naturally, we are also interested in giving a proof in the quantum random oracle model. And one additional interesting question is to give simulation-based security of the multi-signature instead of the game-based one. So thank you so much for your attention. See you at Crypto soon.
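
The lattice-based identification protocol described in the talk (small mask, challenge, response, rejection step), as an added example that is not from the talk or the paper: a toy Python sketch of the uniform-mask variant only, not MuSig-L's Gaussian rejection sampling. The parameters `Q`, `N`, `M`, `B`, `ETA` and all function names are constructed assumptions and are not secure; `response_histogram` enumerates every mask value to compare the response distribution with and without the rejection step.

```python
import random
from collections import Counter

Q, N, M = 8380417, 4, 2      # toy modulus and dimensions (constructed, not secure)
B, ETA = 1000, 1             # mask range [-B, B]; secret coefficients in [-ETA, ETA]
BETA = ETA                   # bound on |c * s_i| for challenges c in {-1, 0, 1}

def matvec(A, v):
    return [sum(a * x for a, x in zip(row, v)) % Q for row in A]

def keygen(rng):
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(M)]
    s = [rng.randint(-ETA, ETA) for _ in range(N)]
    return A, s, matvec(A, s)            # public key t = A s mod Q

def commit(A, rng):
    y = [rng.randint(-B, B) for _ in range(N)]
    return y, matvec(A, y)               # commitment w = A y mod Q

def respond(s, y, c):
    z = [yi + c * si for yi, si in zip(y, s)]
    # Rejection step: abort unless z lies in the range reachable for every secret.
    if max(abs(zi) for zi in z) > B - BETA:
        return None
    return z

def verify(A, t, w, c, z):
    if max(abs(zi) for zi in z) > B - BETA:
        return False
    lhs = matvec(A, z)                   # A z must equal w + c t mod Q
    return all((l - c * ti - wi) % Q == 0 for l, ti, wi in zip(lhs, t, w))

def identify(A, s, t, rng):
    """Run the protocol, restarting on abort; return (attempts, accepted)."""
    attempts = 0
    while True:
        attempts += 1
        y, w = commit(A, rng)
        c = rng.choice([-1, 0, 1])
        z = respond(s, y, c)
        if z is not None:
            return attempts, verify(A, t, w, c, z)

def response_histogram(s_i, c, reject=True):
    """Exact distribution of one coordinate of z over all masks y in [-B, B]."""
    zs = (y + c * s_i for y in range(-B, B + 1))
    return Counter(z for z in zs if not reject or abs(z) <= B - BETA)
```

With rejection, the histogram is the same flat range for every secret coefficient; without it, the largest or smallest observed response shifts with the secret, which is the dependence the rejection step removes.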